Overview

overview

10

Static

static

1

11.exe

windows7-x64

10

11.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22-01-2025 02:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11.exe

  • Size

    141KB

  • MD5

    ca2750660e7a4925be67111398c41ba3

  • SHA1

    c34ad86ab7d09eb561ea93d3043c50501b59a95a

  • SHA256

    f6ea483197e1068338d1a9f15f30acd504592e233ed48c99a3ec2d0bff4bfe07

  • SHA512

    ff8a1f0df2e14b662c6947ccafc87587edd22f50dd52f5e1af309c457d321aa5c46bdbfeafdd8aeee4b05403550892d3facba88b03bc700b5e19593046307553

  • SSDEEP

    3072:L507+DpnZ7oDJX6AyU0Rc4OSSIfO0mZxQeUF53Gbph1s27T:u72zMVqgWc4btfO02xi/Gbph1R7T

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

y-9.qq-weixin.org:7000

Mutex

EO9XSpj51dU3wDN4

Attributes
  • Install_directory

    %AppData%

  • install_file

    escsvc.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 42 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    defense_evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\11.exe
    "C:\Users\Admin\AppData\Local\Temp\11.exe"
    1⤵
    • Drops file in Windows directory
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    PID:2424
  • C:\Windows\escsvc\escsvc64.exe
    C:\Windows\escsvc\escsvc64.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Users\Admin\AppData\Roaming\Microsoft\escsvc.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\escsvc.exe
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\escsvc.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2552
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'escsvc.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2372
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\escsvc.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1920
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'escsvc.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2080
    • C:\Users\Admin\AppData\Roaming\Microsoft\msna.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\msna.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    577e483fa6850e8ea77ac05bdc0da07f

    SHA1

    b57804ca9ba9157aa2aa813130d495d63dcfb332

    SHA256

    1ab87aff8caf6eea58c1b6080587514166075f2ca808284a145017e679c86f5b

    SHA512

    89c376ada8826c8b15aebdf624a5412907c26aa36ae35baea4b994b08dab3783b1a04902893db361ff0fa0a5706f778b82332a8e141d2c2d2feedb5322fa455f

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\escsvc.exe
    Filesize

    141KB

    MD5

    58b45125dfd1aa1745ef2c41a2f27898

    SHA1

    b58110de9e3b2bc882f260058cfbb8ef758543b2

    SHA256

    f5742d8ecf701dfd8bef2ab0eb04767f92e6a845f4f8a932bf6a8a7f9cce5f5c

    SHA512

    01475c4ad4511f2cc1fbbd8e3f7118ebcf1d6d8f4aa8688be0e97a610ba61de347ea830c0fd90d772e3d2a70bc53225ae1968625e438495f026715f2364289ef

    Download Submit

  • \Users\Admin\AppData\Roaming\Microsoft\msna.exe
    Filesize

    141KB

    MD5

    ca2750660e7a4925be67111398c41ba3

    SHA1

    c34ad86ab7d09eb561ea93d3043c50501b59a95a

    SHA256

    f6ea483197e1068338d1a9f15f30acd504592e233ed48c99a3ec2d0bff4bfe07

    SHA512

    ff8a1f0df2e14b662c6947ccafc87587edd22f50dd52f5e1af309c457d321aa5c46bdbfeafdd8aeee4b05403550892d3facba88b03bc700b5e19593046307553

    Download Submit

  • \Windows\escsvc\escsvc64.exe
    Filesize

    141KB

    MD5

    7f6b9b8bebd2aa74fbb6d09dfe05fa70

    SHA1

    7dac56d6d0a7404f2c48f27a3c4076925187dc55

    SHA256

    41c4dbdc930b25852998c0024dc34df8480ccd190bd751659fbbf578e7ad546a

    SHA512

    ea02558c260aa2a892c89f76e2309233a741af119c28575ed41a309ffe1bffd31addbdfc473001f324ed87d53be1745afdbeec46706b47b868768a00bad6b109

    Download Submit

  • memory/2372-91-0x000000001B230000-0x000000001B512000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2372-92-0x0000000002510000-0x0000000002518000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2424-38-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2424-1-0x0000000000250000-0x00000000002C5000-memory.dmp

    Filesize

    468KB

    Download

  • memory/2424-10-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2424-11-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2424-12-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2424-13-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2424-33-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2424-32-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2424-0-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2424-9-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2424-31-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2424-39-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2424-2-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2424-37-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2424-36-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2424-35-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2424-34-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2552-82-0x000000001B440000-0x000000001B722000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2552-83-0x00000000024E0000-0x00000000024E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2784-70-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2784-74-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2784-66-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2784-67-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2784-59-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2784-62-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2784-61-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2784-60-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2784-58-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2784-52-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2784-68-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2784-71-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2784-69-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2784-72-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2784-73-0x0000000180000000-0x0000000180079000-memory.dmp

    Filesize

    484KB

    Download

  • memory/2840-86-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2840-65-0x0000000002380000-0x0000000002390000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2840-44-0x00000000003E0000-0x00000000003E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2840-64-0x000007FEF66E3000-0x000007FEF66E4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2840-49-0x0000000000430000-0x0000000000442000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2840-111-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2840-75-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2840-76-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2840-77-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2840-104-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2840-98-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2840-84-0x000007FEF66E3000-0x000007FEF66E4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2992-28-0x0000000180000000-0x0000000180025000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2992-20-0x0000000180000000-0x0000000180025000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2992-19-0x0000000000210000-0x0000000000230000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2992-18-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2992-30-0x0000000180000000-0x0000000180025000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2992-29-0x0000000180000000-0x0000000180025000-memory.dmp

    Filesize

    148KB

    Download

  • memory/2992-27-0x0000000180000000-0x0000000180025000-memory.dmp

    Filesize

    148KB

    Download